The decentralized finance ecosystem is reeling from one of the most sophisticated attacks in its history after Radiant Capital lost more than $50 million in digital assets. The breach, which occurred on October 16, 2024, involved advanced malware that compromised the hardware wallets of three long-standing developers during a routine multi-signature emissions adjustment process. As Bitcoin trades near $69,000 and Ethereum hovers around $2,746, the incident serves as a stark reminder that even the most security-conscious protocols remain vulnerable to social engineering at the developer level.
The Exploit Mechanics
According to the post-mortem published by Radiant Capital, the attacker employed highly advanced malware to poison transactions in real time. Three geographically distributed developers—all trusted, long-term contributors to the DAO—had their devices compromised simultaneously. The attackers, widely attributed to North Korean hacking groups with a track record of over $3 billion in crypto thefts between 2017 and 2023, injected malicious code that manipulated what the developers saw on their hardware wallet screens while signing what appeared to be legitimate transactions.
The attack unfolded during a standard multi-signature governance process. Each developer independently verified and signed the transaction on their hardware wallet, believing it to be a routine emissions adjustment. However, the malware intercepted the transaction data between the device interface and the signing process, replacing the intended payload with one that drained liquidity pools across both BNB Chain and Arbitrum networks. The result was a loss exceeding $50 million, including $48 million in the initial attack and an additional $5–6 million siphoned through infinite token approvals that the attackers had secretly embedded.
Affected Systems
The breach impacted Radiant Capital deployments on two major blockchain networks. On BNB Chain, attackers drained lending pools and exploited approval mechanisms to extract additional funds. On Arbitrum, similar tactics were deployed against the protocol's cross-chain infrastructure. The fact that the attack vector bypassed hardware wallet security—the gold standard for crypto asset protection—has sent shockwaves through the DeFi community. Radiant had previously suffered a $4.5 million exploit in January 2024 from an unrelated vulnerability, making this the second major security incident in less than a year.
The Mitigation Strategy
In the immediate aftermath, Radiant Capital paused all protocol operations and began coordinating with blockchain security firms including Halborn and Hacken to conduct a comprehensive forensic investigation. The protocol advised all users who had interacted with Radiant contracts to revoke any outstanding token approvals as a precautionary measure. The development team also implemented emergency contract upgrades to prevent further fund extraction through the compromised approval mechanisms.
Security researchers from Hacken noted that the automated incident response systems were not adequately prepared for this type of access control attack. The attack exposed a critical gap in multi-signature security: while multi-sig protects against single points of failure, it does not inherently protect against compromised device-level signing environments.
Lessons Learned
The Radiant Capital hack demonstrates that hardware wallets alone are not sufficient to protect against sophisticated malware attacks. The industry must adopt additional verification layers, including air-gapped signing environments, multi-device verification of transaction hashes before signing, and behavioral monitoring systems that can detect anomalous transaction patterns in real time. Protocols should also consider implementing time-locked execution for high-value governance actions, providing a window for independent security review before transactions are finalized on-chain.
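The multi-device check described above, as an added example (not Radiant Capital's or any vendor's tooling): a second machine decodes the raw calldata, compares it with the announced action, and flags unlimited token approvals. The emissions selector, the addresses and the SHA-256 fingerprint (a stand-in for the wallet's own transaction hash) are assumptions made for illustration.

```python
import hashlib

APPROVE = "095ea7b3"        # ERC-20 approve(address,uint256) selector
MAX_UINT256 = 2**256 - 1    # amount conventionally used for an unlimited approval


def _raw(calldata_hex):
    h = calldata_hex.lower()
    return bytes.fromhex(h[2:] if h.startswith("0x") else h)


def split_calldata(calldata_hex):
    """Return (selector_hex, [32-byte ABI words]) from raw calldata."""
    raw = _raw(calldata_hex)
    if len(raw) < 4 or (len(raw) - 4) % 32:
        raise ValueError("not a 4-byte selector plus whole 32-byte words")
    return raw[:4].hex(), [raw[i:i + 32] for i in range(4, len(raw), 32)]


def fingerprint(calldata_hex):
    """Digest signers compare out of band (assumed stand-in for the tx hash)."""
    return hashlib.sha256(_raw(calldata_hex)).hexdigest()[:16]


def review(calldata_hex, expected_selector, announced_fp, known_spenders=()):
    """Return reasons not to sign; an empty list means nothing was flagged."""
    findings = []
    selector, words = split_calldata(calldata_hex)
    if selector != expected_selector:
        findings.append(f"selector {selector} is not the expected {expected_selector}")
    if fingerprint(calldata_hex) != announced_fp:
        findings.append("calldata fingerprint differs from the announced one")
    if selector == APPROVE and len(words) == 2:
        spender = "0x" + words[0][12:].hex()
        if int.from_bytes(words[1], "big") == MAX_UINT256:
            findings.append(f"unlimited token approval to {spender}")
        if spender not in known_spenders:
            findings.append(f"spender {spender} is not on the allowlist")
    return findings


# Constructed sample data: the announced call versus what reached the signer.
EMISSIONS_SELECTOR = "aabbccdd"   # hypothetical selector for the routine action
INTENDED = "0x" + EMISSIONS_SELECTOR + (1000).to_bytes(32, "big").hex()
SWAPPED = "0x" + APPROVE + "00" * 12 + "11" * 20 + "ff" * 32

if __name__ == "__main__":
    fp = fingerprint(INTENDED)
    print(review(INTENDED, EMISSIONS_SELECTOR, fp))    # []
    for reason in review(SWAPPED, EMISSIONS_SELECTOR, fp):
        print("DO NOT SIGN:", reason)
```

The check is only independent if it runs on a machine that did not build or relay the transaction and the fingerprint is exchanged over a separate channel.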
User Action Required
If you have interacted with Radiant Capital on either BNB Chain or Arbitrum, immediately revoke all token approvals associated with the protocol. Monitor official Radiant Capital communication channels for updates on the recovery process and any potential reimbursement plans. Consider reviewing your own security practices, particularly if you use hardware wallets for multi-signature governance roles—ensure your signing environment is free from malware by using dedicated, freshly imaged devices for transaction verification.
3 devs, 3 different locations, all compromised simultaneously. that coordination level is insane. DPRK hackers are operating at nation-state tier
nation-state tier coordination. DPRK has a dedicated crypto hacking unit with full government backing. protocols are fighting governments with multisig wallets
the fact that the malware changed what the hardware wallets displayed is the scariest part. you verify on screen, screen lies to you, you sign. what's the fix?
what's the fix => blind signing is the problem. need a second independent verification layer, like having a separate airgapped device decode the raw tx data
the fix is multi-device verification independent of the signing device. a second laptop running a different tx decoder showing raw calldata
over $3 billion stolen by NK groups since 2017 and exchanges still can't flag the laundering fast enough. the onchain forensics improve but the thieves adapt faster